Configure Authentication for Confluent Manager for Apache Flink

By default, Confluent Manager for Apache Flink® (CMF) installs with authentication disabled. The only authentication mechanism CMF supports is mutual TLS (mTLS); there is no password- or token-based alternative.

mTLS provides two-way authentication: the client verifies the CMF node's certificate against its truststore, and the CMF node verifies the client's certificate against the CA certificates in its own truststore. Traffic in both directions is therefore encrypted and comes from an authenticated peer, and the identity in the client certificate can be mapped to a principal for authorization. For a review of mTLS and RBAC terminology, see Terminology.

Example

The following configuration file shows how to provision Confluent Manager for Apache Flink with a keystore and truststore to specify mTLS for all communication. It also shows how to configure a mounted volume to store certificates. You pass the configuration file to Helm when you install CMF.

# mtls-values.yaml
cmf:
  ssl:
    keystore: /store/my-keystore
    keystore-password: # optional; set only if the keystore is password protected
    trust-store: /store/my-trust-store
    trust-store-password: # optional; set only if the truststore is password protected
    client-auth: need # reject connections that do not present a certificate signed by a CA in the truststore
  authentication:
    type: mtls
    config:
      auth.ssl.principal.mapping.rules: # optional; rules to extract a principal from the certificate subject, see https://docs.confluent.io/platform/current/security/authentication/mutual-tls/tls-principal-mapping.html
# Example that mounts the certificate stores into the installation at /store,
# the directory the cmf.ssl paths above refer to
mountedVolumes:
  volumes:
    - name: certificates
      azureFile:
        secretName: azure-secret
        shareName: aksshare
        readOnly: true
  volumeMounts:
    - name: certificates
      mountPath: /store

When you install or upgrade CMF with Helm, pass the values file that contains the security settings with the -f flag, as in the following command. Note that Helm stores the values of a release, including any store passwords you put in this file, in a Secret in the release namespace, so anyone who can read Secrets there can read them; restrict access to that namespace accordingly.

helm upgrade --install cmf confluent/confluent-manager-for-apache-flink \
-f mtls-values.yaml